Automated Driving Puts Added Emphasis on Cybersecurity for Connected Trucks

Image

This story appears in the June 12 print edition of iTECH, a supplement to Transport Topics.

As commercial trucks become increasingly connected to the internet, concerns about vehicle cybersecurity are growing, particularly with the trucking industry continuing its push toward more advanced automated driving systems.

A number of passenger car hacks over the past few years were widely reported, and last year a heavy-duty truck was hacked as well, “but when you look at these hacks, they were all controlled experiments,” said Mark Botticelli, executive vice president and chief technology officer at PeopleNet, a provider of onboard telematics systems for trucks.

Perhaps most famously, cybersecurity experts remotely accessed the controls of a Jeep Cherokee through its entertainment system in 2015, prompting a recall.



BEST OF JUNE iTECH: More stories, columns

LIVEONWEB: Watch replay of 'The Road to Automated Driving'

While those breaches were conducted by researchers rather than hackers with malicious intent, they nonetheless heightened awareness and put the industry on alert, Botticelli said.

That awareness also generates fear, uncertainty and doubt, he said, “so whether it’s real or perception, you have to address it.”

Despite fears about hackers commandeering vehicles, manufacturers generally segment systems so that one cannot simply go from accessing the air conditioning system to controlling the brakes and steering, said Paul Menig, founder and CEO of consulting firm Tech-I-M.

“They do things so you can’t take control of the radio and get to the engine computer,” said Menig, who previously led the mechatronics group at Daimler Trucks North America.

Telematics systems are “primarily listening for problems” and are not generally connected to the engine controls, he added.

However, certain truck manufacturers and engine makers have begun to enable remote engine programming.

“Now you have some problems,” Menig said, noting that security steps are built into processes for accessing remote programming capability.

Implementing an automated system for password protection could help protect trucks in dealerships and in fleet operations, Menig suggested. But computers typically have “some cybercode buried” in them that enables them to recognize each other, and that itself could offer a way into computers, he said.

Trucks are continually in and out of multiple service centers, making them a challenge to control, Menig said. The diagnostic port is intended to be used by people with the right codes so they can test various systems.

“In order to be able to do an engine test you have to be able to rev the engine,” Menig said. “Or you have to be able to cut off the engine — to defuel it to see that the accelerator pedal connection is working correctly. So all the things we put in for diagnostics on the vehicle — in the wrong hands — enable somebody to do something.”

There also is an earlier parallel for people carrying out intrusions or takeovers on trucks.

“For the last 25 years, we’ve had electronic controls for trucks,” Menig said. “One of the features in the electronic control is a road speed governor or speed limiter. How many times have you heard of some driver somehow magically reprogramming that speed limiter, maybe with the help of a rogue technician somewhere? That’s cybersecurity right there.”

The National Motor Freight Truck Association issued a cybersecurity advisory last September recommending that carriers separate networks where computers have remote access to vehicle systems from those used for routine business or office functions such as e-mail, working on documents and internet searches.

Telematics companies such as PeopleNet and Omnitracs are members of NMFTA’s heavy-vehicle cybersecurity team, along with Paccar Inc., Volvo Trucks North America, American Trucking Associations, the U.S. Department of Transportation and the Department of Homeland Security. The group meets a few times a year, Botticelli said.

PeopleNet has an ongoing cybersecurity program focused on managing the threat of exposure by searching for vulnerabilities and ways to reduce or eliminate them, in part by tightening up code.

The telematics provider works with Rapid7 and NCC Group, companies that specialize in penetration testing and threat modeling.

If a telematics control box were stolen from a truck, for example, the question is what could be done with it, Botticelli said. Whether physical control could lead to reverse engineering of the controller and exploiting it wirelessly is “the crux” of the concern, he said.